
4 December 2025
NIS2 directive explained: Part 3 - Supply chain security
Introduction
The requirement of NIS2 that in-scope entities adopt measures to ensure the security of their immediate supply chain is one of the lesser discussed aspects of the Directive. However, given the many actions which could flow from this requirement, including the renegotiation of supplier contracts, enhanced due diligence and potentially even the need to swap out suppliers whose cybersecurity standards fall short, it could turn out to be one of the more exacting and time-consuming elements of an organisation's NIS2 compliance journey. In this article, we unpack what NIS2 says about supply chains and how this is expanded upon by relevant EU guidance to inform key steps to compliance. We also explore what these provisions might mean for the indirect application of NIS2 to organisations which have otherwise concluded they are out of scope of the Directive.
What does NIS2 say about supply chain security?
Blink and you might miss it. The supply chain requirements of NIS2 are described in brief terms. Included in the list of 10 core cybersecurity risk management measures which sit at the heart of an in-scope entity's compliance (Article 21(2)), NIS2 requires those measures to include "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers" (Article 21(2)(d)). Article 21(3) adds that organisations should take into account the vulnerabilities specific to each direct supplier and service provider, as well as the overall quality of products and cybersecurity practices of each supplier, including their secure development procedures.
NIS2 contains no further guidance on how the security of a supply chain is best achieved, although the recitals to NIS2 are helpful, stating that in-scope entities "should in particular be encouraged to incorporate cybersecurity risk-management measures into contractual arrangements with their direct suppliers and service providers".
Happily, the absence of detail at a core Directive level has been supplemented by the EU Commission's Implementing Regulation (C(2024) 7151) ("Implementing Regulation"), adopted on 17 October 2024, which sets out technical and methodological requirements for the cybersecurity risk-management measures in Article 21. While the Implementing Regulation only applies to those entities broadly described as "digital entities" (including cloud and data centre services, managed service providers and managed security service providers, providers of online marketplaces and search engines, amongst others), it nevertheless provides useful (albeit not binding) guidance for other in-scope entities.
The Implementing Regulation has since been supplemented by ENISA's Technical Implementation Guidance (v1.0, June 2025) ("ENISA Guidance") which provides additional practical guidance on how the measures set out in the Implementing Regulation can be achieved and evidenced.
What are the key actions to achieving supply chain security?
According to the Implementing Regulation and the ENISA Guidance, the following will be the key next steps for an in-scope organisation:
- Create a supply chain security policy setting out minimum security requirements for suppliers and service providers. The policy should be communicated directly to suppliers and should also feed into procurement and outsourcing policies, shaping the criteria for selecting suppliers by focusing on their cybersecurity practices, their ability to meet the entity's security needs, and the quality and resilience of any relevant ICT products and services. The policy should be reviewed and updated at planned intervals and after significant incidents.
- Undertake a supply chain risk assessment to identify which of the suppliers in an entity's supply chain are likely to be in scope of the NIS2 supply chain obligations. This should take into account the risks associated with each supplier, considering the nature of the products or services provided, their track record with cyber incidents and, in particular, their potential to affect the in-scope entity's network and information systems.
- Apply contractual flow-downs to suppliers identified as in scope of the NIS2 supply chain obligations under the risk assessment described above. This involves evaluating whether current contracts meet NIS2 requirements and updating terms as needed. The Implementing Regulation suggests including clauses on cybersecurity requirements, employee skills and awareness, incident handling and reporting obligations, and audit rights, amongst others.
- Maintain a register of in-scope suppliers which is kept up to date and actively managed, including regular risk-management activity such as scheduled and unscheduled reviews or audits, monitoring of relevant service levels, reviewing incidents involving suppliers and analysing the risks presented by changes to relevant products and services.
Which suppliers are likely to be in scope of the supply chain obligations?
The main requirement for in-scope organisations is to secure their direct suppliers, but not necessarily the entire supply chain. However, the non-binding recitals of NIS2 indicate that organisations should assess the cybersecurity and overall quality of both direct suppliers and their suppliers in turn. This is echoed by the Implementing Regulation, which states that contract terms should include cybersecurity requirements for subcontractors of direct suppliers, implying that NIS2 standards should extend further than the direct supply chain.
The question of which of those direct suppliers will be in scope of the supply chain obligations will be trickier, particularly for organisations with a complex and wide-reaching supplier landscape. The focus of NIS2 appears to be on those suppliers that could lead to disruptions in the availability, integrity, authenticity or confidentiality of the network and information systems. This suggests a focus on suppliers of an ICT service or application, or suppliers who otherwise have access to a network or information system operated by the customer organisation or to data processed on that network or information system.
It follows that other suppliers, for example those providing materials or physical infrastructure which are key to supporting a critical in-scope service, may not be in scope of the supply chain obligations. While this might seem counterintuitive, since a cyber incident affecting these suppliers could cause significant disruption to the provision of critical services, this exclusion aligns with NIS2's definition of an incident, which is limited to events compromising the availability, authenticity, integrity or confidentiality of data, or of services offered by or accessible via, network and information systems.
It may nevertheless be seen as good practice for in-scope organisations to extend cybersecurity flow-downs to any members of their supply chain who could have a significant impact on the availability of in-scope services. This not only helps to protect the stability and continuity of critical services but also helps to ensure operational resilience more broadly.
What might be the key hurdles to achieving supply chain security?
Organisations face the daunting task of performing gap analyses against a raft of existing contract clauses, as well as potentially amending in-house templates. While a robust set of cybersecurity requirements which already align to international cybersecurity standards may not need much by way of amendment, it is likely that existing incident notification obligations, for example, will fall short of the exacting notification timelines under NIS2 (an early warning within 24 hours and an incident notification within 72 hours of becoming aware of a significant incident) and of the broader parameters of a reportable incident. Supplier contracts will need to deliver information quickly enough for the customer to meet those deadlines.
Organisations may also face challenges when attempting to amend contracts with large ICT suppliers that hold significant market positions. The outcome often depends on the customer's commercial leverage and the supplier's willingness to modify its standard terms (which may be more forthcoming if the supplier is itself in scope of NIS2). If suppliers remain unwilling to cooperate, customers might need to address risks to their network and information systems through alternative measures, such as conducting audits, applying compensating technical controls on their side of the relationship or, where feasible, exercising termination for convenience rights.
The Indirect Effect of NIS2
While the thrust of this article has explored the key actions which will be required of an organisation which has been assessed to be in scope of NIS2, it is clear that for suppliers in the supply chain of in-scope customers, the result of contract flow-downs and supply chain policies will be an indirect impact of NIS2 on their business. Organisations which are routinely part of the supply chain of in-scope customers are likely to see an increase in questionnaires from customers seeking to understand their cybersecurity compliance. Requests to renegotiate contracts may follow, and new contracts are likely to start including more detailed NIS2 requirements as industry's response to the Directive develops.
Conclusion
Supply chain security constitutes one of the ten fundamental cybersecurity requirements central to the NIS2 Directive. This aspect is anticipated to prompt considerable activity, especially among in-scope organisations whose essential services rely on complex supply chains. Organisations that participate in these supply chains should prepare for heightened attention to cybersecurity, including more rigorous customer assessments and stricter obligations concerning incident reporting and downstream supply chain security. While the Implementing Regulation and ENISA Guidance have provided helpful advice on next steps, as with all aspects of NIS2, it will be interesting to see how these obligations develop through Member State guidance and sector practices.
Post-script: Digital Omnibus
While not directly relevant to NIS2's supply chain requirements, it is worth noting that the newly published EU Digital Omnibus proposal seeks to simplify a number of regulations across the Digital Decade suite, including NIS2. The most prominent proposed change is the introduction of a single streamlined incident notification entry point, which would serve the reporting of significant incidents under NIS2 as well as similar notifications under the GDPR, the Cyber Resilience Act and DORA. If adopted, this would be a welcome change for organisations in scope of multiple laws, as well as for those suppliers who are required to assist in-scope customers with their reporting obligations.
You can read more about the Digital Omnibus changes in our summary here:
Digital Autofocus – Will Europe's Digital Omnibus bring clarity to Regulation? | Technology's Legal Edge